Blogs

Tor at the Heart: Torservers.net

During the month of December, we're highlighting other organizations and projects that rely on Tor, build on Tor, or are accomplishing their missions better because Tor exists. Check out our blog each day to learn about our fellow travelers. And please support the Tor Project! We're at the heart of Internet freedom.
Donate today!

Torservers.net

The torservers.net organizational network currently consists of 20 non-profit organizations in 14 countries that have joined forces to turn donations into Tor exit bandwidth. Each of the organizations participates in local and global events to teach others about what they have learned and to exchange knowledge on what it means to run Tor relays, specifically exit relays.

In close partnership with The Tor Project Inc., member organizations test new experimental releases, contribute to research at universities, and host Tor user meetings in their areas. Torservers.net has worked with a number of lawyers to produce legal assessments and publish guidelines for how to deal with complaints. In some cases, torservers.net covers legal costs for exit operators when needed. Members contribute to Tor and its codebase in many ways. For anyone interested in Tor, reaching out to a local Torservers.net organization is a very good way to connect to Tor folks!

Member organizations:

Austrian Privacy Foundation (Austria)
Associated Whistleblowing Press (Belgium)
Coldhak (Canada)
Koumbit (Canada)
Electronic Frontier Finland (Finland)
Nos Oignons (France)
SaveYourPrivacy e.V. (Germany)
Zwiebelfreunde e.V. (Germany)
IceTor (Iceland)
Onion Italia (Italy)
DFRI: Föreningen för Digitala Fri- och Rättigheter (Sweden)
Swiss Privacy Foundation (Switzerland)
Cyber Arabs (Institute for War & Peace Reporting) (Lebanon)
Frënn vun der Ënn (Luxembourg)
Hart voor Internetvrijheid (Netherlands)
Access Now (USA)
CypherChaikhana (USA)
The Calyx Institute (USA)
The Library Freedom Project (USA)
NoiseTor (Noisebridge) (USA)

Tor at the Heart: Orbot and Orfox

During the month of December, we're highlighting other organizations and projects that rely on Tor, build on Tor, or are accomplishing their missions better because Tor exists. Check out our blog each day to learn about our fellow travelers. And please support the Tor Project! We're at the heart of Internet freedom.
Donate today!

Orbot and Orfox

Orbot is an app for Android that contains the core Tor service and provides connectivity to the Tor network for any app to utilize. Local HTTP and SOCKS proxies are enabled for any proxy-capable app, such as Twitter or Lightning Browser, to use. Orbot also provides an "Apps VPN" feature that redirects traffic from selected apps or the entire device through the Tor network. Finally, Orbot provides an API that allows any developer to build Tor support directly into their app, as demonstrated by apps like Facebook, DuckDuckGo and F-Droid.

Orfox is a web browser for Android that enables mobile phone users to have secure communications through the Tor network. Coupled with the Orbot app, Orfox users can have encryption and anonymity on the Internet. In addition, Orfox comes with NoScript and HTTPS Everywhere preinstalled, and a number of security settings are preselected to enhance your protection against malicious websites.

Orfox is built from the same source code as Tor Browser (which is built upon Firefox), but with a few minor modifications to the privacy enhancing features to make them compatible with Firefox for Android and the Android operating system. The Orfox repository is a fork of the Tor Browser repository, with the necessary modification and Android-specific code as patches on top of the Tor Browser work. Beyond the core Tor Browser components, Orfox also routes all Android-specific code through the Orbot Tor proxy and is otherwise hardened to protect against data and privacy leaks.

Both Orbot and Orfox are produced in partnership with Guardian Project (https://guardianproject.info), a collective of software developers, designers and activists with a focus and expertise on security and privacy solutions for mobile devices.

All of the project, source code and app install links for Orbot and Orfox are available here: https://guardianproject.info/apps/orbot/ and here: https://guardianproject.info/apps/orfox/. You can also jump right to the Tor Project's apps on Google Play here:
https://play.google.com/store/apps/developer?id=The+Tor+Project

And if you are already using Orfox - please update your app! Here is information on a release the team just put out that contains an important security update to Firefox.

Tor 0.2.9.6-rc is released

Tor 0.2.9.6-rc fixes a few remaining bugs found in the previous alpha version. We hope that it will be ready to become stable soon, and we encourage everyone to test this release. If no showstopper bugs are found here, the next 0.2.9 release will be stable.

You can download the source from the usual place on the website. Packages should be available over the next several days, including an alpha TorBrowser release around December 14. Remember to check the signatures!

Please note: This is a release candidate. I think it's pretty stable, but bugs can always remain. If you want a stable experience, please stick to the stable releases.

Below are the changes since 0.2.9.5-alpha.

Changes in version 0.2.9.6-rc - 2016-12-02

  • Major bugfixes (relay, resolver, logging):
    • For relays that don't know their own address, avoid attempting a local hostname resolve for each descriptor we download. This will cut down on the number of "Success: chose address 'x.x.x.x'" log lines, and also avoid confusing clock jumps if the resolver is slow. Fixes bugs 20423 and 20610; bugfix on 0.2.8.1-alpha.
  • Minor bugfixes (client, fascistfirewall):
    • Avoid spurious warnings when ReachableAddresses or FascistFirewall is set. Fixes bug 20306; bugfix on 0.2.8.2-alpha.
  • Minor bugfixes (hidden services):
    • Stop ignoring the anonymity status of saved keys for hidden services and single onion services when first starting tor. Instead, refuse to start tor if any hidden service key has been used in a different hidden service anonymity mode. Fixes bug 20638; bugfix on 17178 in 0.2.9.3-alpha; reported by ahf.
  • Minor bugfixes (portability):
    • Work around a bug in the OSX 10.12 SDK that would prevent us from successfully targeting earlier versions of OSX. Resolves ticket 20235.
    • Run correctly when built on Windows build environments that require _vcsprintf(). Fixes bug 20560; bugfix on 0.2.2.11-alpha.
  • Minor bugfixes (single onion services, Tor2web):
    • Stop complaining about long-term one-hop circuits deliberately created by single onion services and Tor2web. These log messages are intended to diagnose issue 8387, which relates to circuits hanging around forever for no reason. Fixes bug 20613; bugfix on 0.2.9.1-alpha. Reported by "pastly".
  • Minor bugfixes (unit tests):
    • Stop spurious failures in the local interface address discovery unit tests. Fixes bug 20634; bugfix on 0.2.8.1-alpha; patch by Neel Chauhan.
  • Documentation:
    • Correct the minimum bandwidth value in torrc.sample, and queue a corresponding change for torrc.minimal. Closes ticket 20085.

Tor 0.2.8.10 is released

There's a new stable version of Tor!

Tor 0.2.8.10 backports a fix for a bug that would sometimes make clients unusable after they left standby mode. It also backports fixes for a few portability issues and a small but problematic memory leak.

You can download the source from the usual place on the website. Packages should be available over the next several days, including a TorBrowser release around December 14. Remember to check the signatures!

Below are the changes since 0.2.8.9.

Changes in version 0.2.8.10 - 2016-12-02

  • Major bugfixes (client reliability, backport from 0.2.9.5-alpha):
    • When Tor leaves standby because of a new application request, open circuits as needed to serve that request. Previously, we would potentially wait a very long time. Fixes part of bug 19969; bugfix on 0.2.8.1-alpha.
  • Major bugfixes (client performance, backport from 0.2.9.5-alpha):
    • Clients now respond to new application stream requests immediately when they arrive, rather than waiting up to one second before starting to handle them. Fixes part of bug 19969; bugfix on 0.2.8.1-alpha.
  • Minor bugfixes (portability, backport from 0.2.9.6-rc):
    • Work around a bug in the OSX 10.12 SDK that would prevent us from successfully targeting earlier versions of OSX. Resolves ticket 20235.
  • Minor bugfixes (portability, backport from 0.2.9.5-alpha):
    • Fix implicit conversion warnings under OpenSSL 1.1. Fixes bug 20551; bugfix on 0.2.1.1-alpha.
  • Minor bugfixes (relay, backport from 0.2.9.5-alpha):
    • Work around a memory leak in OpenSSL 1.1 when encoding public keys. Fixes bug 20553; bugfix on 0.0.2pre8.
  • Minor features (geoip):
    • Update geoip and geoip6 to the November 3 2016 Maxmind GeoLite2 Country database.

Tor Browser 6.5a5 is released

Tor Browser 6.5a5 is now available from the Tor Browser Project page and also from our distribution directory.

This release features an important security update to Firefox and contains, in addition to that, an update to NoScript (2.9.5.2) and a fix of our updater code so it can handle unix domain sockets.

The Firefox security flaw responsible for this urgent release is already actively exploited on Windows systems. Even though there is currently, to the best of our knowledge, no similar exploit for OS X or Linux users available the underlying bug affects those platforms as well. Thus we strongly recommend that all users apply the update to their Tor Browser immediately. A restart is required for it to take effect.

Tor Browser users who had set their security slider to "High" are believed to have been safe from this vulnerability.

A note to Linux users: We still require the same update procedure as experienced during the update to 6.5a4: a dialog will be shown asking to either set `app.update.staging.enabled` or `extensions.torlauncher.control_port_use_ipc` and `extensions.torlauncher.socks_port_use_ipc` to `false` (and restart the browser in the latter case) before attempting to update. The fix for this problem is shipped with this release and we will be back to a normal update experience with the update to 6.5a6. We are sorry for this inconvenience.

Here is the full changelog since 6.5a4:

  • All Platforms
    • Update Firefox to 45.5.1esr
    • Update NoScript to 2.9.5.2
  • Linux
    • Bug 20691: Updater breaks if unix domain sockets are used

Tor Browser 6.5a5-hardened is released

A new hardened Tor Browser release is available. It can be found in the 6.5a5-hardened distribution directory and on the download page for hardened builds.

This release features an important security update to Firefox and contains, in addition to that, an update to NoScript (2.9.5.2) and a fix of our updater code so it can handle unix domain sockets.

The Firefox security flaw responsible for this urgent release is already actively exploited on Windows systems. Even though there is currently, to the best of our knowledge, no similar exploit for OS X or Linux users available the underlying bug affects those platforms as well. Thus we strongly recommend that all users apply the update to their Tor Browser immediately. A restart is required for it to take effect.

Tor Browser users who had set their security slider to "High" are believed to have been safe from this vulnerability.

Note regarding updating: We still require the same update procedure as experienced during an update to 6.5a4-hardened: a dialog will be shown asking to either set `app.update.staging.enabled` or `extensions.torlauncher.control_port_use_ipc` and `extensions.torlauncher.socks_port_use_ipc` to `false` (and restart the browser in the latter case) before attempting to update. The fix for this problem is shipped with this release and we will be back to a normal update experience with the update to 6.5a6-hardened. We are sorry for this inconvenience.

Here is the full changelog since 6.5a5-hardened:

  • All Platforms
    • Update Firefox to 45.5.1esr
    • Update NoScript to 2.9.5.2
    • Bug 20691: Updater breaks if unix domain sockets are used

Tor at the Heart: TorBirdy

During the month of December, we're highlighting other organizations and projects that rely on Tor, build on Tor, or are accomplishing their missions better because Tor exists. Check out our blog each day to learn about our fellow travelers. And please support the Tor Project! We're at the heart of Internet freedom.
Donate today!

TorBirdy

TorBirdy automatically connects you through the Tor network whenever you log into Thunderbird email. TorBirdy also enhances the privacy settings of Thunderbird and configures it for use over the Tor network. This makes it so your location is anonymous when you check and send your email, making it more difficult for companies or governments to assemble a profile of your online activity.

Under normal circumstances, your email provider can see your IP address whenever you check your email. In addition, your IP address is imprinted within the header of the message whenever you send an email, so the email recipient can see it. TorBirdy reroutes your email through the Tor network, effectively bouncing it around different computers across the globe before delivering it. Your email provider and the recipient of the email will see your IP address as being from a random location rather than your actual location. If you set up an email account over Tor and check your email using TorBirdy, your email can't be related back to you, greatly increasing your anonymity when it comes to using email.

TorBirdy is an extension for ​Mozilla Thunderbird that is still in beta, but it is already available in 27 languages. You can download it from the Tor Project's website. Tails also ships with TorBirdy.

TorBirdy 0.2.1 is released

We are pleased to announce the seventh beta release of TorBirdy: TorBirdy 0.2.1.

This release fixes an annoying usability issue where TorBirdy sets the calendar timezone to UTC thus overriding the local timezone and breaking the calendar functionality; see commit 3ea8e5d and Bug 20157 for more information.

If you are using TorBirdy for the first time, visit the wiki to get started.

There are currently no known leaks in TorBirdy but please note that we are still in beta, so the usual caveats apply.

Here is the complete changelog since v0.2.0 (released on 23 June 2016):

0.2.1, 30 Nov 2016
* Bug 20157: Do not set calendar timezone to UTC
* Bug 20750, 20644: Ensure RSS feeds are displayed in plain text
* Revert setting no_proxies_on to an empty string (see commit b2f6a45b)
* Added support for automatic configuration of systemli.org email accounts

We offer two ways of installing TorBirdy: by visiting our website (GPG signature; signed by 0xB01C8B006DA77FAA) or by visiting the Mozilla Add-ons page for TorBirdy. Please note that there may be a delay -- which can range from a few hours to days -- before the extension is reviewed by Mozilla and updated on the Add-ons page.

(Packages for Debian GNU/Linux will be created and uploaded shortly by Ulrike Uhlig.)

Syndicate content Syndicate content